From

Thank you

Sorry

Forget expensive IDSes, host-based IDSes, and unified threat management appliances. Here’s how to really get the best security bang for your buck:

1. Prevent the installation or execution of unauthorized software or content. Learn what is running on your computers and why. If you don’t know what’s on your systems, you can’t protect them adequately.

5. Practice deny-by-default and least-privilege whenever possible. When developing least-privilege security policies, use role-based security. Instead of one “IT security group,” you should have a group for each IT role.

6. Define and enforce security domains. Who needs access to what? What types of traffic are legitimate? Answer these questions and then design perimeter defenses. Take baselines and note abnormal traffic.

7. Encrypt all confidential data whenever possible, especially on portable computers and media. There’s no excuse for not doing this -- the bad PR you’ll get from lost data (see AT&T, U.S. Department of Veteran Affairs, Bank of America) should be reaspm enough.

8. Update patch management for OSes and all applications. Have you patched Macromedia Flash, Real Player, and Adobe Acrobat lately?

9. Implement anti-virus, anti-spam, and anti-spyware tools on the gateway and/or at the host-level.

10. Embrace security by obscurity. Rename your admin and root accounts to something else. Don’t have an account called ExchangeAdmin. Don’t give your file servers names such as FS1, Exchange1, or GatewaySrv1. Put services on non-default ports when you can: You can move SSH to 30456, RDP to 30389, and HTTP to 30080 for internal use and business partners.

12. Track where everyone browses on the Internet and for how long. Post the findings on a real-time online report that is accessible by anyone. This recommendation tends to make users’ Internet surfing habits self-policing. (I bet it will also lead to a sudden increase in productivity.)

13. Automate security. If you don’t automate it, you won’t do it consistently.

I know I left out lots of other things, such as physical security, but this is a better-than-good start. Pick one recommendation and focus on implementing it from beginning to end. Then start on the next. Skip the ones you can’t implement and zero in on what you can do. And if you absolutely must have that pricey IDS, go get it -- but not until you’re done covering these basics.